Visa Announces PCI Compliance Carrots to Go Along With Sticks

Hoping to push up compliance with its data-security rules, Visa USA on Tuesday announced first-ever incentives?including cash payments–to go along with new penalties for acquiring banks that serve the 1,200 largest Visa-accepting merchants. The carrot-and-stick package, intended to get acquirers to bring more merchants into compliance with the Payment Card Industry data-security standard, comes at a time when the compliance rate among the largest Visa merchants, the so-called Level 1 retailers, stands at 36%, Visa says. Level 2 merchants are complying at a 15% rate. Visa says the “majority” of merchants at both levels are “actively working toward compliance.” Together, these merchants generate about two-thirds of Visa's U.S. transactions. Merchants in both categories process at least 1 million Visa transactions annually, both online and at the point of sale, with Level 1 merchants processing at least 6 million. Part of the program calls for Visa to pour up to $20 million into a fund that will pay cash rewards to acquirers for large merchants that have already validated compliance or will by Aug. 31, 2007. Acquirers will be able to receive an unspecified one-time payment for each merchant they qualify by March 31. They will receive a lesser amount for each merchant qualified after March 31 but before Aug. 31. Each qualifying merchant also must not have been involved in a data breach. “Acquirers are encouraged to use the incentives to fund merchant-security compliance programs,” Visa says. The payments represent the first incentives Visa or any other major card network has offered for compliance with data-security rules. But the San Francisco-based card company, which has already meted out $4.6 million in PCI fines this year, up from $3.4 million in 2005, has new penalties in store, as well. Visa says it will fine acquirers between $5,000 and $25,000 per month for each large merchant not validated by Sept 30, 2007, for Level 1, and by Dec. 31, 2007, for Level 2. Moreover, acquirers will be liable for fines of up to $10,000 for each merchant not confirmed by March 31, 2007, to be in compliance with data-storage rules, meaning the merchant isn't storing full-track, card-verification, and PIN data. Another component of the new set of compliance measures, which collectively Visa calls its PCI compliance acceleration program (PCI CAP), involves the pricing acquirers pay card issuers. Beginning Oct. 1, 2007, acquirers that now enjoy reduced interchange rates on certain Visa and Interlink transactions will lose those breaks on transactions processed at non-compliant merchants. Visa, as well as MasterCard Worldwide, American Express Co., Discover Financial Services LLC, and other card networks introduced PCI in January 2005 as a response to card fraud stemming from data breaches. The rules require merchants and processors to adopt certain standard data-base security techniques, such as firewalls and non-default passwords. Also, merchants must avoid storing the so-called track data encoded in the magnetic stripes of cards. Besides rolling out its new compliance program, Visa also reported that it has validated more than 90 software products for point-of-sale card payments under its payment applications best practices (PABP) program, almost double the number in April. It says it has also explained PCI compliance to almost 2,000 merchants, acquirers, and processors in webinars it has conducted. And it says it presented PCI to more than 60,000 small businesses in a 12-city so-called merchant-data security tour held this year with the U.S. Chamber of Commerce (Digital Transactions News, June 26).